Skip to content
This repository has been archived by the owner. It is now read-only.
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


repoSpanner is a distributed repository storage server, based around Git.

It is designed so that all nodes are equal -- any client can push/pull to/from any node and should see no difference at all. Each node makes sure that all pushed objects are synced to at least a majority of the nodes before acknowledging the push.

The system should be resilient against any nodes failing, as long as a majority of nodes remains available; with the worst case being a single push failing due to an attempt to push to the failed node.

Note: As a consequence of this, it is strongly suggested to deploy regions with odd numbers of nodes.


There are two ways to deploy repoSpanner:

Repository access

After the nodes are installed and running, the service will be available on https://<node.fqdn>/.

Client certificates

To create leaf certificates (for admin and to push/pull), run:

$ repospanner ca leaf <username>

And then arguments for whether the user is an admin (--admin), can pull (--read), and/or push (--write); and for which regions and repositories this certificate is valid (globbing possible), e.g.:

$ repospanner ca leaf admin --admin --write \
    --read --region "*" --repo "*"


You can create repositories with repospanner admin repo create <name>, for example:

$ repospanner admin repo create repospanner


For git repo pull/push, add a /repo/.git. Example clone command for default https port on tcp/443 and repo name being "test"

git clone \
--config http.sslcert=/etc/pki/repospanner/someuser.crt \
--config http.sslkey=/etc/pki/repospanner/someuser.key \
--config http.sslCAinfo=/etc/pki/repospanner/<repospanner-CA>.crt \

Alternatively, for ssh based pushing and pulling, make sure that the users' entry console is the repobridge binary, and the client_config.yml file is setup in /etc/repospanner. This client will automatically revert to plain git if it determines the repo that is being pushed to is not a repospanner repository.

Operating Repospanner cluster

TLS/x509 certificates renewal

As repospanner uses TLS between all components (server to server, client to server, etc), it's important that you check the default validity of those certificates. You can use basic openssl command to check default validity (1y per default):

openssl x509 -in node1.cluster1.crt -noout -text|grep -A 3 Validity
            Not Before: Sep 17 13:43:13 2018 GMT
            Not After : Sep 17 13:43:13 2019 GMT

If you have to renew, you'll have to recreate certififcates with same CN but also exact same NodeID (used in repospanner). First you have to find the NodeID for that node :

repospanner ca info /path/to/node1.cluster1.crt 
Certificate information:
Certificate type:  Node
repoSpanner cluster name:
repoSpanner region name: cluster1
repoSpanner Node Name: node1
repoSpanner Node ID: 2

As we have now identified that Node ID is two, we can just issue a new key/crt for that node (you'll have to delete existing .crt/.key file first otherwise repospanner would complain that those already exist with panic: Node certificate exists) :

repospanner ca node --nodeid 2 --years 30 cluster1 node1

You can now replace on your node and restart repospanner instance


If you would like to get involved in repoSpanner development, take a look at the Contribution guide.


Distributed Git storage server







No releases published


No packages published

Contributors 4